[j-nsp] solution to a firewall question

Olivier Benghozi olivier.benghozi at wifirst.fr
Fri Apr 24 06:18:36 EDT 2015


Yep:

http://www.juniper.net/documentation/en_US/junos14.2/topics/concept/firewall-filter-option-multiple-nested-guidelines-for-configuring.html

-> "You cannot configure a firewall filter term that both references another firewall filter and defines a match condition or action. If a firewall filter term includes the filter statement, then it cannot also include the from or then statement."


Without "next term", you are doomed...
So, on EX/QFX you are doomed :)



> On 24 Apr 2015, at 03:44, Vijesh Chandran <vijesh at juniper.net> wrote:
> 
> This would probably need a tweak. Juniper does not support a filter reference inside a term with 'from' inside it. There will be a commit error.
> however let me try this and come back. Thanks for solution.
> 
> -Thanks,
>  Vijesh
> 
> 
> From: Damien DeVille <damien.deville at gmail.com>
> Sent: Thursday, April 23, 2015 5:54 PM
> To: Vijesh Chandran
> Cc: Olivier Benghozi; juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] solution to a firewall question
>  
> You are correct -- I misread the documentation. I think this will achieve your goal -- though it would be simpler to write a filter with 2 terms, the first to match and count with an action of "next-term" and the second term to classify and shunt the packets into a forwarding class.
> 
> You can call one filter as part of another, in this example f2 (applied as the input on the interface) calls f1 prior to processing the match conditions in term 1:
> 
> ddeville at testlab-rtr# show
> unit 0 {
>     family inet {
>         filter {
>             input f2;
>         }
>         dhcp;
>     }
> }
> 
> ddeville at testlab-rtr# show firewall
> filter f1 {
>     term 1 {
>         from {
>             protocol tcp;
>             destination-port 80;
>         }
>         then {
>             count tcp_80;
>             accept;
>         }
>     }
> }
> filter f2 {
>     term 1 {
>         filter f1;
>         from {
>             dscp ef;
>         }
>         then {
>             forwarding-class expedited-forwarding;
>             accept;
>         }
>     }
> }
> 
> 
> 
> 
> 
> - Damien
> 
> On Thu, Apr 23, 2015 at 8:24 PM, Vijesh Chandran <vijesh at juniper.net> wrote:
> Is there a programming difference between 'firewall filter' and 'firewall family inet filter'? (ignore the v4 part of that)?
>   afaik, family inet filter will skip all subsequent terms if a packet matches the first term. Is that not true for family filter?
> 
> -Vijesh
> 
> From: Damien DeVille <damien.deville at gmail.com>
> Sent: Thursday, April 23, 2015 5:17 PM
> To: Vijesh Chandran
> Cc: Olivier Benghozi; juniper-nsp at puck.nether.net
> 
> Subject: Re: [j-nsp] solution to a firewall question
>  
> Actually, my example is incorrect.  Filter f1 should read as follows:
> 
> ddeville at testlab-rtr# show firewall
> filter f1 {
>     term 1 {
>         from {
>             protocol tcp;
>             destination-port 80;
>         }
>         then {
>             count tcp_80;
>         }
>     }
> }
> 
> When written this way, the second filter "f2" will be evaluated as part of the chain. See http://www.juniper.net/documentation/en_US/junos13.3/topics/concept/firewall-filter-option-multiple-listed-overview.html#jd0e195
> 
> 
> 
> - Damien
> 
> On Thu, Apr 23, 2015 at 6:12 PM, Damien DeVille <damien.deville at gmail.com> wrote:
> While I don't understand why you have the requirement that you can't use next-term (seems to be arbitrary), you can accomplish this with the "input-list" option (https://www.juniper.net/documentation/en_US/junos14.2/topics/reference/configuration-statement/input-list-edit-interfaces.html).
> 
> Here is a sample configuration:
> 
> ddeville at testlab-rtr# show interfaces ge-0/0/0
> unit 0 {
>     family inet {
>         filter {
>             input-list [ f1 f2 ];
>         }
>         address 192.168.1.2/32;
>     }
> }
> 
> ddeville at testlab-rtr# show firewall
> filter f1 {
>     term 1 {
>         from {
>             protocol tcp;
>             destination-port 80;
>         }
>         then {
>             count tcp_80;
>             accept;
>         }
>     }
> }
> filter f2 {
>     term 1 {
>         from {
>             dscp ef;
>         }
>         then {
>             forwarding-class expedited-forwarding;
>             accept;
>         }
>     }
> }
> 
> 
> 
> 
> 
> - Damien
> 
> On Thu, Apr 23, 2015 at 5:38 PM, Vijesh Chandran <vijesh at juniper.net> wrote:
> Hi Olivier,
>  My bad that I didn't specify this in original mail...
> Caveat here is that, next term shall be avoided as per requirement.
> -Thanks,
>  Vijesh
> 
> 
> ________________________________________
> From: juniper-nsp <juniper-nsp-bounces at puck.nether.net> on behalf of Olivier Benghozi <olivier.benghozi at wifirst.fr>
> Sent: Thursday, April 23, 2015 11:39 AM
> To: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] solution to a firewall question
> 
> Replace accept with next term in f1 ?
> 
> next term works across filter lists from what I see and according to the documentation (http://www.juniper.net/documentation/en_US/junos13.3/topics/concept/firewall-filter-option-multiple-listed-overview.html).
> 
> 
> Olivier
> 
> > On 23 Apr 2015, at 17:18, Vijesh Chandran <vijesh at juniper.net> wrote:
> >
> > Hi all,
> >  I am wondering if we have a solution to this issue.
> >  I need two firewalls attached to an interface as an input-list, e.g. f1 and f2.
> >  Input-list [f1 f2]
> >  f1 to match a condition (all tcp port 80) and accept and count that packet.
> >  f2 to classify those packets based on code points and push to a forwarding class. Is this possible?
> 
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
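As an added example (not from the thread and not Juniper code), here is a small Python model of how Junos walks an interface input-list, used to replay the three f1 variants discussed above (`accept`, count-only, `next term`) plus the nested-reference term that fails commit. The evaluation rules it encodes are assumptions drawn from the Junos documentation linked in the thread and from the thread's conclusion: terminating actions end the whole list, a matched term with only non-terminating actions is an implicit accept, and `next term` is the only way to carry a matched packet on into the next filter. The `Term`/`Filter` classes, `scenario`, `nested_reference_commits` and the sample packet are constructed for this example.

```python
"""Toy model of Junos firewall-filter evaluation for an interface input-list.

Added example for this thread; not Juniper code. Rules encoded (assumptions):
  * input-list [ f1 f2 ] is evaluated as one concatenated filter, term by term;
  * accept / discard / reject end evaluation of the whole list;
  * a matched term with only non-terminating actions is an implicit accept;
  * 'next term' continues with the following term, crossing into the next filter;
  * an unmatched packet in f1 is tried against f2; implicit discard comes last;
  * a term with 'filter <name>' may not also carry from or then (commit error).
"""
from dataclasses import dataclass, field

@dataclass
class Term:
    name: str
    match: dict = field(default_factory=dict)    # 'from' conditions
    actions: list = field(default_factory=list)  # 'then' actions, as config strings
    filter_ref: str = ""                         # 'filter <name>' nested reference

@dataclass
class Filter:
    name: str
    terms: list

class CommitError(Exception):
    """Raised where Junos would fail the commit."""

def commit_check(filters: dict) -> None:
    for f in filters.values():
        for t in f.terms:
            if t.filter_ref and (t.match or t.actions):
                raise CommitError(f"filter {f.name} term {t.name}: a term that "
                                  "references a filter cannot also include from or then")
            if t.filter_ref and t.filter_ref not in filters:
                raise CommitError(f"filter {t.filter_ref} is not defined")

def flatten(filters: dict, name: str) -> list:
    """Expand nested filter references into the flat term sequence that is evaluated."""
    out = []
    for t in filters[name].terms:
        out.extend(flatten(filters, t.filter_ref) if t.filter_ref else [t])
    return out

def evaluate(filters: dict, input_list: list, pkt: dict, counters: dict) -> tuple:
    """Return (terminating action, forwarding class) for pkt; counters is updated in place."""
    fc = None
    for fname in input_list:
        for term in flatten(filters, fname):
            if not all(pkt.get(k) == v for k, v in term.match.items()):
                continue
            terminating = None
            for act in term.actions:
                if act in ("accept", "discard", "reject", "next term"):
                    terminating = act
                    continue
                verb, _, arg = act.partition(" ")
                if verb == "count":
                    counters[arg] = counters.get(arg, 0) + 1
                elif verb == "forwarding-class":
                    fc = arg
                else:
                    raise ValueError(f"unsupported action {act!r}")
            if terminating != "next term":
                return terminating or "accept", fc   # implicit accept
    return "discard", fc   # implicit discard at the end of the list

def scenario(f1_actions: list) -> tuple:
    """One TCP/80, DSCP EF packet through input-list [ f1 f2 ] with the given f1 'then'.

    Returns (action, forwarding class, value of the tcp_80 counter)."""
    filters = {
        "f1": Filter("f1", [Term("1", {"protocol": "tcp", "destination-port": 80}, f1_actions)]),
        "f2": Filter("f2", [Term("1", {"dscp": "ef"},
                                 ["forwarding-class expedited-forwarding", "accept"])]),
    }
    commit_check(filters)
    counters: dict = {}
    pkt = {"protocol": "tcp", "destination-port": 80, "dscp": "ef"}  # constructed sample packet
    action, fc = evaluate(filters, ["f1", "f2"], pkt, counters)
    return action, fc, counters.get("tcp_80", 0)

def nested_reference_commits() -> bool:
    """The nested variant from the thread: f2 term 1 has 'filter f1' plus from/then."""
    filters = {
        "f1": Filter("f1", [Term("1", {"protocol": "tcp", "destination-port": 80},
                                 ["count tcp_80", "accept"])]),
        "f2": Filter("f2", [Term("1", {"dscp": "ef"},
                                 ["forwarding-class expedited-forwarding", "accept"], "f1")]),
    }
    try:
        commit_check(filters)
        return True
    except CommitError:
        return False

if __name__ == "__main__":
    print("accept in f1:      ", scenario(["count tcp_80", "accept"]))     # f2 never reached
    print("count only in f1:  ", scenario(["count tcp_80"]))               # implicit accept, same
    print("next term in f1:   ", scenario(["count tcp_80", "next term"]))  # classified by f2
    print("nested ref commits:", nested_reference_commits())               # False
```

Under these rules only the `next term` variant both counts the packet in f1 and lets f2 set the forwarding class; the `accept` and count-only variants stop at f1, which is the behaviour Vijesh describes, and the nested-reference term is rejected at commit for the reason the Junos guideline quoted at the top gives. Whether `next term` is available at all depends on the platform, which is the point made above about EX/QFX.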

